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The present invention relates to cryptographic devices such as those 
typically installed in smart cards and other devices, which may have 
vulnerability to power analysis attacks to obtain information therefrom. 

io Many cryptographic devices are implemented using microprocessors 

and associated logic on devices such as smart cards. It is often necessary to 
ensure that important data stored on smart cards, such as cryptographic keys 
and the like, is kept secure. A number of power analysis techniques have 
been published that facilitate the obtaining of data from the smart card that 

15 would otherwise, in the course of normal input and output operations, be 
securely encrypted. In particular, analysis of the power consumption of the 
logic performing an encryption or decryption operation may be used to 
establish the round keys used in the encryption or decryption operation. 



20 "Differential Power Analysis", www.cryptography.com and Messerges et a/: 
"Investigations of Power analysis Attacks on Smartcards", Proceedings of 
USENIX Workshop on Smartcard Technology, May 1999, pp. 151-161. The 
power consumption of a smart card is conventionally strongly related to the 
number of bit transitions occurring at each clock pulse. Statistical analysis of 

25 the power dissipation of the smart card during successive cycles of a 
cryptographic algorithm has been shown to yield sufficient information to 
obtain the cryptographic keys in use. 

Differential power analysis attacks rely on correlation between the 
power dissipation traces and the data processing operations of the processor 

30 logic and the ability to average many such traces over time. 



Such techniques are discussed, for example, in Kocher et ah 
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It is an object of the present invention to provide a power supply and 
mode of operation of a cryptographic processor that improves the security of 
' " "cryptographic processors against poweranalysis-attacksr 

According to" one "aspect, the present invention provides a data 
5 processing device including: 
a processor, 

a charge storage device coupled to the processor, 
a current source for supplying the processor with operating current, and 
ada pted to vary its output current independently of t he instantaneous po wer 
10 demand of the processor. 

According to another aspect, the present invention provides a method 
of operating a data processing device, comprising the steps of: 
drawing current from an external supply; and 

cyclically apportioning drawn curren t betwe en a charge storage device 
is ""and a procesTor^thkTthe data"procelsing device such that the drawn current 
varies independently of the instantaneous power demand of the processor. 

Embodiments of the present invention will now be described by way of 
example and with reference to the accompanying drawings in which: 
20 Figure 1 illustrates a power supply for a processor according to a 

preferred embodiment of the invention; 

Figure 2 shows a schematic diagram illustrating the various functional 
blocks of the power supply of figure 1; and 

Figure 3 is a graph illustrating the current switching control of a 

25 preferred power supply. 

With reference to figure 1, various possible embodiments of a DC - DC 
converting power supply for a cryptographic processor are now described. 

A current source 10 draws current from a supply voltage V cc and 
30 supplies a current loo to a processor 1 1 . The processor 1 1 may be any form of 
data processing logic circuitry. A decoupling capacitor C receives current from 
~the"cur^ 10 
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exceeds the requirements of the processor 1 1 , and supplies current to the 
processor when the current supplied by the current source falls short of the 
requirements of the processor. The function of capacitor C could also be 
implemented by any suitable alternative charge storage mechanism. 

5 In a first embodiment, the current source 10 comprises a first current 

source 12 which supplies substantially constant current l C c at two different 
current levels. A first one of these current levels is higher than an average 
demand of the processor and the second one of these current levels is lower 
than an average demand of the processor 11. Switching between the current 

10 levels occurs on a periodic or aperiodic basis as will be illustrated later. 

During periods in which the first one of the current levels is being 
delivered, the voltage V D d supplied to the processor will rise, as excess current 
is stored in the capacitor C. During periods in which the second one of the 
current levels is being delivered, the voltage V D d will fall, as the shortfall in 

15 current is supplied (discharged) from capacitor C. 

The result is a saw tooth voltage V DD . Over a period of time, the 
average current Ice supplied by the current source 10 will be equal to the 
average current demand I D d of the processor. However, it will be noted that 
the instantaneous values of current Ice supplied by the current source 12 very 

20 rarely match the instantaneous values of current demand I D d of the processor 
11. 

The switching of the current levels of the current source 12 is 
determined independently of the instantaneous activities of the processor, so 
that the frequency and phase of the saw tooth voltage Vdd do not reflect the 

25 immediate activities of the processor. In other words, frequency and phase of 
the voltage Vdd are not linked to an internal clock frequency of the processor, 
nor to data manipulation operations being carried out by the processor 1 1 . 

The control of the current source 12 typically will also include some 
hysteresis, which is advantageous in maintaining a lack of correlation between 

30 the processor activity and the frequency and phase of the saw tooth voltage 
V DD . 



# 




4 



PHNL 020 



The processor 1 1 is controlled by an internal oscillator clock of which 
the frequency is voltage dependent. Typically, the lower the voltage supply 
Vim to the processor, the lower the cioclTTfequency of~the~n5rocessoTr 
Conversely, the higher the voltage supply Vdd to the processor, the higher the 



procedure performed by the processor (for example, a RSA calculation or a 
DES / AES encryption / decryption operation) will depend upon the level of the 

supply voltage V D d- 

In a differential power analysis attack, it is necessary to align many 
successive power traces so that corresponding processing operations are 
aligned in the time axis and can be averaged. This becomes very much more 
difficult when the frequency of operation of the processor is continually varying, 
because the effective time base of successive power traces is continually 
changing. 

The processor might also be asynchronously designed, which will also 
result in the duration of any procedure performed by the processor being 
dependent upon the level of supply voltage V D d- 

In a further embodiment, the current source 10 may include, in addition 
to bi-level current source 12, a second current source 13 which is adapted to 
deliver a pseudo-noise current component l N to the current supply. The noise 
current l N varies on a random or pseudo-random basis. The second current 
source 13 may be operated in a number of different ways. 

When l N is controlled by a pseudo-noise generator it will hide the trigger 
points that are necessary in a differential power analysis attack in order to 
provide a reference point on the time axis, to align multiple traces for 
averaging. The pseudo-noise generator therefore makes triggering of suitable 
analysis equipment (eg. a digital sampling oscilloscope) even more difficult. 

If the clock of the pseudo-noise generator 13 has a fixed frequency, 
then analysis of power traces by adding a number of power traces will filter out 
the noise. However, the bigger the amplitude of the noise current In, the more 
traces are needed to remove the noise and the greater the blurring of target 



clock frequency of the processor. This means that the duration of any 



t» 
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patterns and spikes in the power traces. Therefore, the noise current In is 
preferably a significant proportion of the bi-level current Ice. 

Preferably, the peak value of the pseudo-noise current In is smaller than 
the bi-level current l C c supplied by the first current source 12. In a preferred 
5 arrangement, the peak noise current In lies approximately in the range 5 to 
10% of the bi-level current l C c supplied by the first current source 12. 

In a preferred arrangement, the pseudo-noise generator 13 is initialised 
for each instruction sequence of the processor 11. If the pseudo-noise 
generator is initialised for each instruction sequence of the processor, then the 
10 noise pattern will be the same in each power trace for that instruction 
sequence. Thus, when adding the power traces to try to remove noise, the 
noise pattern will be enhanced rather than averaged out. In this case, the 
differential power analyst must first determine the noise pattern and subtract it 
Jcom_each^power_trac^Jiefore„ adding, the power traces together. Every 
15 mismatch between the true noise pattern and the deduced pattern that is 
subtracted will then add together resulting in spurious spikes in the averaged 
trace. These spikes may successfully hide the true data spikes that the 
analyst is seeking. 



20 the same clock as the processor 1 1 , and the noise generator is initialised for 
each instruction sequence of the processor. In this way, the noise is 
substantially repeated. Adding a number of power traces together will result in 
a substantially constant noise signal. Some parts of the noise traces will add 
together and other parts will be cancelled out. Adding more traces or 

25 subtracting traces will not be effective at removing the noise component. 

With reference to figure 2, the regulation of the current source l C c will 
now be described. 

In the preferred arrangement, the regulation of the current source 10 is 
performed automatically such that the average current Ice ( + 'n if a noise 

30 current generator 13 is included) supplied by the current generator 10 will 
match the average current demand of the processor 11. 



In a further arrangement, the pseudo-noise generator 13 is clocked by 
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The current regulator adapts the operation of the current supply when 
the average current demand Idd of the processor varies overtime. 

"The supply~voltage V D d is permittel3 _ to^aTy"l5etween an uppervoltage~ ' 
level and a lower voltage level which are within the operating specification of 
5 the processor, such that the processor can be guaranteed to operate correctly. 
The current generator 10 must vary current level such that at the higher 
current level, the processor supply voltage V D d tends to rise, and such that at 
the lower current level the processor supply voltage V D d tends to fall. The 
upper levej of V D d could be fixed by a zener diode D (figure 1) to prevent 
10 damage to the processor. 

In the preferred arrangement of figure 2, a current switch control circuit 
20 is operative to switch the current source 12 between a first, higher current 
level and a second, lower current level. The first current level is sufficient to 
cause the voltage V D d to rise under normal operation of the processor 1 1 . The 
15 second current level is sufficient to cause the voltage V D d to fall under normal 
operation of the processor 1 1 . 

A threshold detection circuit 23 monitors V D d and detects a rise (or fall) 
of V D d to the upper (or lower) threshold levels. Upon reaching the higher 
threshold voltage level, the current switch control circuit 20 switches the 
20 current supply Ice to its second (lower) current level. Upon V D d reaching the 
lower threshold voltage level, the current switch control circuit 20 switches the 
current supply 10 back to its first (higher) current level. 

In a preferred arrangement, a timer circuit 22 is provided which is 
started when the upper threshold voltage is detected. The timer circuit 22 then 
25 determines the time period t for the processor supply voltage V D d to reach the 
lower threshold voltage. The operation of this timer circuit 22 is illustrated 
graphically in figure 3. 

The timer circuit 22 determines whether the time period t falls within a 
permissible window t max to t min . If the time period lies between t max and t mtn 
30 (example t 2 ), no action is taken. If the time period is less than t mln (example U), 
this is communicated to a current level setting circuit 21 which operates to 
increase the second (lower) current level. If the time period is greater than t max 
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(example f 3 ), this is communicated to the current level setting circuit 21 which 
operates to decrease the second (lower) current level. Preferably, the 
adjustments to the current levels are made incrementally. The system will 
always move towards an operation condition in which the downward path of 
5 the saw tooth wave pattern of V D d has a period between t max and f m/n . 

A similar control arrangement may be applied, mutatis mutandis, to the 
first (upper) current level using the timing of the upward path of the saw tooth 
wave. 

In^tas^ayH^e^eriG^ voltage^evel-V DD -may be maintained 

10 within predetermined bounds and the current source is controlled so as to vary 
the voltage output Vdd to the processor independently of the instantaneous 
power demand of the processor. 

If the current demand of the processor increases significantly, it is 
possible that the first 7 (upper) level current-is-insufficient to increase V D d. If this 
15 occurs, an override circuit 24 may come into operation to override the normal 
operation of the current level setting circuit 21 and/or current switch control 
circuit 20. 

For example, override circuit 24 may detect that V D d remains below the 
lower voltage level for a predetermined time. If this occurs, the override circuit 
20 24 may trigger the current level setting circuit 21 to set the highest possible 
current level. It may also be configured to prevent the current switch control 
circuit 20 from further switching or vary the switching period until V D d has 
recovered. 

Alternatively, override circuit 24 may sense a non-rising V D d during a 
25 first (upper) level current phase and perform a similar action. 

If the current demand of the processor decreases significantly, it is 
possible that the second (lower) level current is too high to decrease V D d. If 
this occurs, the override circuit 24 may come into operation to override the 
normal operation of the current level setting circuit 21 and/or current switch 
30 control circuit 20. 

For example, override circuit 24 may detect that V D d remains above the 
higher voltage level for a predetermined time. If this occurs, the override 



• 
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circuit 24 may trigger the current level setting circuit 21 to set the lowest 
possible current level. It might also prevent the current switch control circuit 20 

" "f|^ftrtr^ _ swifcTi 

Alternatively, override circuit 24 may sense a non-rising V D d during a 
5 first (upper) level current phase and perform a similar action. 

In an alternative embodiment, a fixed first (higher) current level may be 
used and only the second (lower) current level varied. In a still further 
embodiment, a fixed second (lower) current level may be used and only the 
first (upper) current level varied. The second (lower) current level may be as 
10 low as zero. 

The zener diode D may be used to clamp the voltage and consume any 
surplus cunent. For low supply voltages of, for example 1.8 V, it may be 
difficult to obtain a good zener diode. In such a case, the zener diode D could 
be replaced with another voltage clamping arrangement, for example a voltage 
15 comparator and transistor. 

In a general sense, it will be noted that the effect of the circuits 
described above is to cyclically apportion current that is drawn from an 
external supply rail V C c between a processor 1 1 and a charge storage circuit 
10 in such a manner the current drawn from the external supply Vcc varies 
20 independently of the instantaneous power demand of the processor. The 
control circuitry ensures, however, that the instantaneous and average power 
demands of the processor are always met. 

The decoupling capacitor C filters out most of the high frequency 
variations in current supply l C c- The bi-level constant current source 12 
25 producing l C c also decreases any high frequency variation in the external 
supply current drawn from supply rail V C c as a result of critical data switching 
operations within the processor 11. The capacitor C also suppresses voltage 
spikes on the supply voltage that may temporarily shut off the current source, 
because the capacitor maintains cunent supply to the processor 11. This also 
30 applies to voltage spikes that are induced by an attacker to influence the 
processor's activity. This may include spikes that are purposefully timed by an 
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attacker so as to prevent a critical operation of the processor being performed 
and thereby cause leakage of useful information. 

Broader spikes or interruptions in the power supply V C c, for which the 
capacitor C is unable to sustain power to the processor 1 1 are conventionally 
5 dealt with by appropriate processor reset circuitry (not shown). 

For additional security, the internal oscillator of the processor 11 should 
be made immune from influence by external factors, such as varying the 
voltage supply V C c. Supply voltage variations outside certain predefined limits 
preferably will initiate processor or system reset using control circuitry known 
10 in the art. 

The repeating changes in the current source 12 output current Ice 
makes triggering in a differential power analysis attack difficult. In addition, the 
varying speed of the processor 1 1 resulting from the saw tooth supply voltage 
V D d means that power traces will not correctly align with one another, in that 

15 the time base will be varying from trace to trace. 

The invention has been described with reference to an embodiment in 
which the current source 10 includes a bi-level constant current source 12, 
which results in a saw tooth supply voltage Vcc- It will be understood that the 
principles of the invention can also be effected using a current source 10 

20 adapted to switch between multiple discrete levels, which would result in a 
supply voltage V D d that has a very much more complex profile. 

Similarly, the current source 10 may be adapted to vary output current 
continuously between two predetermined levels providing that a continuously 
varying voltage Vdd is achieved. The function of the cyclically varying output 

25 of the current source 12 is to ensure that the processor supply voltage Vdd 
varies over time as a function of some parameter which is not linked to 
instantaneous power demand of the processor. 

It will be understood that for security against power analysis attacks on 
the processor 11, it is important that the voltage node V D d is not accessible to 

30 an external probe. Therefore, the processor 1 1 , capacitor C (or other charge 
storage device), and current source 10 are preferably integrated onto a single 
integrated circuit (or formed as separate devices within a single sealed device 



• 
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package) for which there is no indication (direct or indirect) of the voltage V D d 
provided at any of the output pins of the package. 

Qt ne --^^ odjments are intentionally within th^"scT5pe~oTthB - appencted- - 

claims. 

5 




1 . A data processing device including: 
a processor; 

5 a charge storage device coupled to the processor; and 

a current source for supplying the processor with operating current, and 
adapted to vary its output current independently of the instantaneous power 
demand of the processor. 

10 2. The device of claim 1 in which the charge storage device 

comprises a capacitor in series with the current source, and across which the 
processor is connected in parallel. 

3. The device of claim 1 or claim 2 in which the current source is 
is adapted to periodically or aperiodically switch between two different current 
levels. 



4. The device of claim 1 or claim 2 in which the current source is 
adapted to periodically or aperiodically switch between multiple current levels. 

20 

5. The device of claim 3 or claim 4 in which the interval between 
switching current levels is determined by an average power demand of the 
processor. 

25 6. The device of claim 1 in which the current source comprises: 

a first current source adapted to provide substantially constant current 
at at least two different current levels, the first current source switching 
between current levels on a periodic or aperiodic basis; and 

a second current source adapted to provide a noise current that varies 
30 on a random or pseudo-random basis. 
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7. The device of any preceding claim further including control 
means adapted to maintain the supply voltage to the processor between an 
upper voltage lirnTandVlower voltagelifffifT - - - • 

5 8. The device of any preceding claim further including a zener diode 

adapted to maintain the supply voltage to the processor below an upper 
voltage limit. 

9. The device of claim 7 in which the control means includes current 
io switching means for switching the current source between a first, higher 
current level and a second, lower current level, the current switching being 
triggered by the supply voltage to the processor respectively reaching the 
lower voltage limit and the upper voltage limit. 

15 io. The device of. claim 9 further including a timer for determining a 

time period taken for the processor supply voltage to reach a lower voltage 
limit from an upper voltage limit, or vice versa. 

1 1 . The device of claim 10 further including current setting means for 
20 varying the first current level and / or the second current level of the current 

source if the timer determines that the time period falls outside predetermined 
limits. 

12. The device of claim 1 1 in which the current setting means raises 
25 the first current level if the timer determines that the time period for reaching 

the lower voltage limit falls below a first predetermined threshold. 

13. The device of claim 11 or claim 12 in which the current setting 
means reduces the first current level if the timer determines that the time 

30 period for reaching the lower voltage limit exceeds a second predetermined 
threshold. 
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14. The device of claim 11 in which the current setting means 
reduces the second current level if the timer determines that the time period for 
reaching the upper voltage limit falls below a first predetermined threshold. 

15. The device of claim 11 or claim 12 in which the current setting 
means raises the second current level if the timer determines that the time 
period for reaching the upper voltage limit exceeds a second predetermined 
threshold. 



10 16. The device of claim 9 in which the control means includes means 

for temporarily inhibiting the current switching means if the supply voltage to 
the processor fails to move towards the desired upper or lower voltage limit. 



— ~-17. The device- of claim 1 in which -the processor has an internal 
15 clock, the frequency of which is dependent upon the supply voltage to the 
processor. 

18. The device of any preceding claim in which the processor is a 
cryptographic processor. 

20 

19. The device of any preceding claim incorporated into a smart 

card. 



20. A method of operating a data processing device, comprising the 
25 steps of: 

drawing current from an external supply; 

cyclically apportioning drawn current between a charge storage device 
and a processor within the data processing device such that the drawn current 
varies independently of the instantaneous power demand of the processor. 

30 

21. The method of claim 20 further including the step of using the 
drawn current to generate a current flow to the processor and the charge 
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storage device, that is periodically or aperiodically switched between two 
different current levels. 



22. The method of claim 20 further including the step of using the 
5 drawn current to generate a current flow to the processor and the charge 
storage device, that is periodically or aperiodically switched between multiple 
different current levels. 



23. The method of claim 21 or claim 22 further including the step of 
10 determining the interval between switching according to an average power 

demand of the processor. 

24. The method of claim 20 further including the steps of: 

using a first current source to deliver substantially constant current at at 
is least two different current levels, switching the first current source between 
current levels on a periodic or aperiodic basis; 

using a second current source to provide a superposed current that 
varies on a random or pseudo-random basis and 

delivering the combined current of the first and second current sources 
20 to the processor and the charge storage device. 

i 

25. The method of any one of claims 20 to 24 further including the 
step of maintaining a supply voltage to the processor between an upper 
voltage limit and a lower voltage limit. 

25 

26. The method of claim 25 further including the step of switching a 
current source between a first, higher current level and a second, lower current 
level, when the supply voltage to the processor respectively reaches the lower 
voltage limit and the upper voltage limit. 

30 

27. The method of claim 26 further including the steps of: 
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determining a time period taken for the processor supply voltage to 
reach a lower voltage limit from an upper voltage limit, or vice versa, and 

varying the first current level and / or the second current level of the 
current source if the time period falls outside predetermined limits. 

5 

28. The method of claim 27 further including the step of raising the 
first current level if the time period for reaching the lower voltage limit falls 
below a first predetermined threshold. 

10 29. The method of claim 27 or claim 28 further including the step of 

reducing the first current level if the time period for reaching the lower voltage 
limit exceeds a second predetermined threshold. 

30. The method of claim 27 further including the step of reducing the 
15 second current level if the time period for reaching the upper voltage limit falls 

below a first predetermined threshold. 

31. The method of claim 27 or claim 28 further including the step of 
raising the second current level if the time period for reaching the upper 

20 voltage limit exceeds a second predetermined threshold. 

32. The method of claim 26 further including the step of temporarily 
inhibiting the current switching if the supply voltage to the processor fails to 
move towards the desired upper or lower voltage limit. 

25 

33. The method of claim 20 further including the step of controlling 
the frequency of operation of the processor as a function of the supply voltage 
to the processor. 



30 34. A data processing device substantially as described herein with 

reference to the accompanying drawings. 
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35. A method of operating a data processing device substantially as 
described herein with reference to the accompanying drawings. 



* • 

ABSTRACT 

CURRENT SOURCE FOR CRYPTOGRAPHIC 
PROCESSOR 

5 

To provide increased security against differential power analysis 
attacks, a data processing device is provided with a current converter that 
draws current from an external supply and cyclically apportions drawn current 
between a charge storage device and a processor such that the drawn current 

10 varies independently of the instantaneous power demand of the processor. 
The data processing device includes: a processor; a charge storage device 
coupled to the processor; and a current source for supplying the processor 
with operating current, and adapted to vary its output current independently of 
the instantaneous power demand of the processor. 

15 [Fig. 1] ' 
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